Thanks for the pointers! Elasticsearch response showed the following error message:
Fielddata is disabled on text fields by default. Set fielddata=true on [proxy_upstream_name] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory.
Which lead me to this Elasticsearch page and then I queried my logstash-* mappings in elasticsearch like so:
curl https://my-elasticsearch.us-east-1.es.amazonaws.com:443/logstash-*
Looked at the mapping for proxy_upstream_name:
"proxy_upstream_name": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
Saw that it already had a keyword, so I merely had to change my group by term name to proxy_upstream_name.keyword and groupings worked! Hooray.
